Remote Lights-Out Mgmt (iLO 2, iLO, RILOE II) Forum
Active Directory and ILO2, I am almost there!!!!

OK, I have been at setting up LDAP authentication through AD and iLO for about a week and have gotten really close and have tried every tid out there, but still have one outstanding issue.

I am able to login with my DN string
CN=Test\, Dan,CN=Users,DC=ad,DC=domain,DC=com
(I got the string from the ldp utility and if it was not for a poster I would never have figured out the \ after Test)

I then was able to add
CN=Users,DC=ad,DC=domain,DC=com
to the Directory User Context 1: and now I can login with just Test\, Dan.

Obviously I can't leave it like this because users aren't going to know their DN, especially with the \ after their last name.

I am looking to do what everyone else is trying to do and that is to be able to use the login name that is "dtest" for this user. I have tried adding the @ad.domain.com to the Directory User Context and that did not work.

I did see that there was mention of ActiveX having to be enabled, and I have set up my ActiveX settings for "Internet" as follows:
Allow previously unused ActiveX controls to run without prompt: Disable
Allow Scriptlets: Disable
Automatic prompting for ActiveX controls: Disable
Binary and script behaviors: Enable
Display video and animation on a webpage that does not use external media player: Disable
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disable
Initialize and script ActiveX controls not marked as safe for scripting: Prompt
Run ActiveX controls and plug-ins: Enable
Script ActiveX controls marked as safe for scripting*: Enable

With no luck

Now I am not sure if there is a group policy pushing down to deny the ActiveX ability to run, and if anyone knows the key to check, that would be great.

Well, that is where I stand, and if anyone knows of any more things to check, that would be great.
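
An added example, not part of the original post and not HP code: it shows why the DN needs the `\` after `Test` (RFC 4514 escaping of the comma in the CN) and why the logon name `dtest` does not resolve through a DN-style user context. The function names, the constructed directory, and the rule that a context is expanded as `CN=<typed name>,<context>` are assumptions based on the behaviour described in the post.

```python
# Added illustration; the context-expansion rule below is an assumption
# drawn from the behaviour described in the thread, not HP firmware code.

# Characters RFC 4514 requires to be backslash-escaped inside an RDN value.
_SPECIAL = set('"+,;<>\\')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a distinguished name."""
    out = []
    for i, ch in enumerate(value):
        first, last = i == 0, i == len(value) - 1
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (first and ch in " #") or (last and ch == " "):
            out.append("\\" + ch)  # leading space/# and trailing space
        else:
            out.append(ch)
    return "".join(out)


def candidate_bind_names(login: str, contexts: list[str]) -> list[str]:
    """The name as typed, then CN=<typed name>,<context> for each DN context."""
    # The typed name is used verbatim, so it must already be the escaped CN.
    return [login] + [f"CN={login},{ctx}" for ctx in contexts]


# Constructed directory holding the one account from the post: the object's
# CN is the display name "Test, Dan"; "dtest" is only its logon name.
USER_DN = "CN=" + escape_rdn_value("Test, Dan") + ",CN=Users,DC=ad,DC=domain,DC=com"
DIRECTORY = {USER_DN.lower()}
CONTEXTS = ["CN=Users,DC=ad,DC=domain,DC=com"]


def resolves(login: str) -> bool:
    """True if any candidate name is the DN of an entry in DIRECTORY."""
    return any(c.lower() in DIRECTORY for c in candidate_bind_names(login, CONTEXTS))


if __name__ == "__main__":
    for name in ("Test\\, Dan", "Test, Dan", "dtest", USER_DN):
        print(f"{name!r} -> {resolves(name)}")
```
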
14 REPLIES
Trusted Contributor

Re: Active Directory and ILO2, I am almost there!!!!

Are your users in a group called test? i.e. CN=Test,CN=Users,DC=ad,DC=domain,DC=com. If so, add CN=TEST to your context.

Your client needs to be in the same domain as your directory server for the short name to work. Try dtest@ad.domain.com.
Need to enable
Initialize and script ActiveX controls not marked as safe for scripting

Re: Active Directory and ILO2, I am almost there!!!!

Hey BWC,

I do have a group similar to test called iLO (has the user dtest in it) so I added that to the string
CN=iLO,CN=Users,DC=ad,DC=domain,DC=com
I also made the change to the active X and tried logging in with dtest@ad.domain.com, ad.domain.com\dtest all without success.
Valued Contributor

Re: Active Directory and ILO2, I am almost there!!!!

Please try modifying the following settings from the Network settings page
(Administration->Network) which would help the directory user to login with "Email"(loginname@domain) and "NetBios name"(domain/loginname)
formats.

Primary/Secondary/Tertiary DNS Server
The Primary/Secondary/Tertiary DNS server IP address should be same
as the Active directory server IP address.

Domain Name
This domain should be same as the domain for which the
Active directory server is configured.


One other suggestion
Please ensure "Directory Server Address" under "Administration->Security->Directory" has "FQDN"(Fully qualified
domain name) instead of IP address.
Example : test.rind.com

Re: Active Directory and ILO2, I am almost there!!!!

Hi M.S

I did what you said and:

-Primary/Secondary/Tertiary DNS Server
The Primary/Secondary/Tertiary DNS server IP address should be same
as the Active directory server IP address.

It is, I only have one AD server in this test environment and it is also the only dns server.

-Domain Name
This domain should be same as the domain for which the
Active directory server is configured.

It is, ad.domain.com

-One other suggestion
Please ensure "Directory Server Address" under "Administration->Security->Directory" has "FQDN"(Fully qualified
domain name) instead of IP address.
Example : test.rind.com

This also was setup correctly.


I tried logging in as ad.domain.com/dtest and it did not work. It came up as unauthorized. Man this is a good one..
Trusted Contributor

Re: Active Directory and ILO2, I am almost there!!!!

Since you are able to login with Test\,Dan; I believe your setup is correct. The problem is with the context. iLO is not able to find your users in the context specified in iLO.

Do you have a Container (folder) called Test? I used the wrong term of group earlier.

If you look at the User property for Account Dan, does it show "User logon name" as Dan followed by @ad.domain.com or is it Dtest?

If the above is true, then you should be able to login as ad.domain.com\dan or dan@ad.domain.com

Is it possible to get a screenshot of your mmc for the "AD Users and Computers" where the users are located?
Trusted Contributor

Re: Active Directory and ILO2, I am almost there!!!!

ad.domain.com\dtest may not work. Try using ad\dtest or dtest@ad.domain.com. Assuming dtest is your login name.

Re: Active Directory and ILO2, I am almost there!!!!

Hey BWC,

I don't have a container called test. I have one called ilo, so in AD under the USERS group I created the user dtest, and also in the USERS folder I created the group ilo and added the user dtest to the ilo group. Is that the issue? Should the group ILO not be in the USERS group that is created with AD? Rather, should it be under a new OU? I can get screenshots tomorrow because it is in our test environment.

As far as this question
If you look at the User property for Account Dan, does it show "User logon name" as Dan follow by @ad.domain.com or is it Dtest?

it is dtest then @ad.analog.com
Trusted Contributor

Re: Active Directory and ILO2, I am almost there!!!!

Dan,

If the users and groups are in the Users container, iLO should be able to locate the users. To make it simple to troubleshoot, go ahead and remove the group for now.
Are you using the "extended schema" method?

Re: Active Directory and ILO2, I am almost there!!!!

No, I am using the default schema or schema-less approach. So you are saying to remove the user from the ilo group and leave it in the users group? So the search context and the administrator group string would just be
CN=Users,DC=ad,DC=domain,DC=com
Trusted Contributor

Re: Active Directory and ILO2, I am almost there!!!!

If your "iLO User (dtest)" is in the group iLO, and the iLO group is in the "Users" container, then the "Directory User Context" should be:
CN=Users,DC=ad,DC=domain,DC=com.
The "Directory Server Address" is ad.domain.com. Verify that you can ping ad.domain.com. If not, DNS issue.
-Click on "Administrator Group" button. Point this to your iLO Group. iLO below is the "User Group". ie
CN=iLO,CN=Users,DC=ad,DC=domain,DC=com.
-Make sure popup blocker is disabled on the browser.
-Need to enable
"Initialize and script ActiveX controls not marked as safe for scripting"

Logon as ad\dtest or dtest@ad.domain.com.
Occasional Visitor

Re: Active Directory and ILO2, I am almost there!!!!

Hello everyone,

I'm almost having the same problem. I'm able to logon using full distinguished name or username@ad.domain.com. I have put up two "Directory User Context"

1 @ad.domain.com
2 OU=Users,OU=tech,DC=ad,DC=domain,DC=com

Why can't I logon using only the user id instead of full name?

Re: Active Directory and ILO2, I am almost there!!!!

I have contacted HP support and have not gotten nearly as far as I have from the Forums, but one thing they did tell me is that it is not supported, i.e. dtest. So you will need to login either (in my case) dtest@ad.domain.com or ad.domain.com/dtest. At least you have the @domain working. I can't even get that far.. I have to use the CN of Test\,

If I am wrong on this please let me know...
Valued Contributor

Re: Active Directory and ILO2, I am almost there!!!!

One more note for Default Schema:
Using @domain.com in the user context only
works with HP Extended Schema which is what can prevent you from logging in with your user id.

Re: Active Directory and ILO2, I am almost there!!!!

Now I am using the default schema (schema-less), so is HP wrong that I can't use just my user id?